[Federal Register Volume 79, Number 116 (Tuesday, June 17, 2014)]
[Notices]
[Pages 34539-34542]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-14038]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Centers for Medicare and Medicaid Services
Privacy Act of 1974; Report of New System of Records
AGENCY: Centers for Medicare & Medicaid Services (CMS), Department of
Health and Human Services (HHS).
ACTION: Notice of New System of Records (SOR).
-----------------------------------------------------------------------
SUMMARY: In accordance with the requirements of the Privacy Act of
1974, we are proposing to establish a new SOR, titled ``CMS Encounter
Data System (EDS)'', System No. 09-70-0506. CMS intends to collect
encounter data, or data on each item or service delivered to enrollees
of Medicare Advantage (MA) plans offered by MA organizations as defined
at Title 42, Code of Federal Regulations (CFR), Sec. 422.4. Pursuant to
42 CFR 422.310, each MA organization must submit encounter data to CMS
that is used to determine the risk adjustment factors for payment,
updating the risk adjustment model, calculating Medicare
Disproportionate Share Hospital (DSH) percentages, Medicare coverage
purposes, and quality review and improvement activities. Encounter data
will be collected and maintained in the EDS.
Under the authority granted in Section 1115 of the Social Security
Act (the Act), CMS is authorized to conduct experimental, pilot or
demonstration
projects. CMS is conducting a demonstration project under the Financial
Alignment Initiative to test a new capitated payment system and item/
service delivery model designed to lower costs and improve the quality
of care for individuals eligible for both Medicare and Medicaid (dual
eligibles). CMS and the participating State Medicaid agency jointly
contract with health plans (known as Medicare-Medicaid Plans or
``MMPs''). MMPs are paid monthly on a capitated basis and are required
to submit to CMS comprehensive encounter data on each item or service
provided to each enrollee, including both Medicare and Medicaid items
and services. The program and the SOR are more thoroughly described in
the Supplemental Information section and System of Records Notice
(SORN), below.
DATES: Effective 30 days after publication. Written comments should be
submitted on or before the effective date. HHS/CMS/CM may publish an
amended SORN in light of any comments received.
ADDRESSES: The public should send comments to: CMS Privacy Officer,
Division of Privacy Policy, Privacy Policy and Compliance Group, Office
of E-Health Standards and Services, Offices of Enterprise Management,
CMS, Room S2-24-25, 7500 Security Boulevard, Baltimore, Maryland 21244-
1850. Comments received will be available for review at this location,
by appointment, during regular business hours, Monday through Friday
from 9:00 a.m.-3:00 p.m., Eastern Time zone.
FOR FURTHER INFORMATION CONTACT: Shari Kosko, Division of Encounter
Data and Risk Adjustment Operations, Medicare Plan Payment Group,
Center for Medicare, Centers for Medicare & Medicaid Services, Mail
Stop C1-13-07, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.
The telephone number is (410) 786-6159.
SUPPLEMENTARY INFORMATION: Medicare beneficiaries who receive both Part
A and Part B benefits may elect to receive their Medicare coverage by
enrolling in a plan offered by a MA organization or certain other
Medicare private plans. MA plans must provide all Medicare-covered
items and services, and may also provide additional benefits not
covered by Original Medicare. CMS pays MA organizations on a monthly
capitated rate for each beneficiary enrolled, and the MA organizations
are responsible for paying providers for items and services that are
provided to enrolled beneficiaries. All MA organizations are required
to submit encounter data that CMS uses to adjust the advanced monthly
payments made to the MA organization.
CMS will collect encounter data for all items and services provided
to MA plan enrollees covered by all MA organizations in the states
where the demonstration projects are being conducted. In the case of
cost plans, only encounter data for items and services covered by the
plans will be collected. None of the data that will be included in the
EDS will come from Medicare Part A or Part B data, nor will any
additional identifiers be provided in the EDS data submitted by the MA
organizations. However, the data submitted to EDS will be provided into
the Integrated Data Repository (IDR) and will be available along with
Medicare Part A and Part B data.
Beginning with calendar year 2007, 100 percent of monthly payments
to MA organizations have been subject to adjustment based on risk
adjustment factors. Given the increased importance of the accuracy of
our risk adjustment methodology, CMS amended 42 CFR 422.310 in August
of 2008 to authorize the collection of data from MA organizations
regarding each item and service provided to a MA plan enrollee. Once
encounter data for MA enrollees are available in the EDS, CMS will have
beneficiary-specific information on the utilization of items and
services by MA plan enrollees. These data will primarily be used to
develop and calibrate the CMS hierarchical condition categories (CMS-
HCC) for risk adjustment models using MA patterns of diagnoses and
expenditures. These new models will be used to calculate the risk
adjustment factors used to adjust advanced monthly payments to MA plans
made by CMS on behalf of beneficiaries. The data will also be used for
other purposes such as calculating Disproportionate Share Hospital
(DSH) payments and quality improvement activities, etc. as outlined in
42 CFR 422.310(f).
The types of MA organizations that CMS collects encounter data from
include: coordinated care plans (including Special Needs Plans),
private fee for service plans, and a combination of a MA Medical
Savings Account (MSA) and a contribution into a MA MSA established in
accordance with 42 CFR 422.262. These categories also include Medicare
Advantage-Prescription Drug plans, Program-of-All-Inclusive-Care-for-
the-Elderly-(PACE) organizations, Employer Group Health Plans (EGHPs),
Section 1833 health care prepayment plans (HCPPs) and Section 1876
plans operated by an HMO or Competitive Medical Plan (HMO/CMP) (42
U.S.C. 1833 and 42 U.S.C. 1876, referred to collectively as ``cost
plans'').
The encounter data that CMS collects includes the identity of the
Medicare beneficiary, the provider, the place of service, and the item
or service provided. In addition to identifying information about the
beneficiary and provider, other significant data elements submitted by
the MA organization include claim pricing information, contact
information, service provider information, revenue center codes,
modifiers, Healthcare Common Procedure Coding System (HCPCS) codes, and
Current Procedural Terminology (CPT) codes.
The Privacy Act
The Privacy Act (5 U.S.C. 552a) governs the means by which the
United States Government maintains personally identifiable information
(PII) in a system of records. A ``system of records'' is a group of any
records under the control of a Federal agency from which information
about individuals is retrieved by name or other personal identifier.
The Privacy Act requires each agency to publish in the Federal Register
a system of records notice (SORN) identifying and describing each
system of records the agency maintains, including a description of the
categories of records maintained in the system, the source(s) of
records in the system, the purposes for which the agency uses PII in
the system, the routine uses for which the agency discloses such
information outside the agency, and how individual record subjects can
exercise their rights under the Privacy Act (e.g., to determine if the
system contains information about them).
SYSTEM NUMBER: 09-70-0506
SYSTEM NAME:
CMS Encounter Data System (EDS), HHS/CMS/CM.
SECURITY CLASSIFICATION:
Sensitive, unclassified.
SYSTEM LOCATION:
CMS Data Center, 7500 Security Boulevard, North Building, First
Floor, Baltimore, Maryland 21244-1850; CDS Columbia Data Center EDC2,
I-20 at Alpine Road, AA-278, Columbia, SC 29219; and at various
contractor sites.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Information maintained in this system includes identifying
information of individuals and beneficiaries who have enrolled in a MA
plan (including coordinated care plans, Special Needs
Plans, private fee for service plans, Medicare Medical Savings
Accounts, PACE organizations, MMPs, and MA-PD plans (Medicare
Advantage plus Part D plans)) (collectively, ``MA plan enrollees''),
whose information is reported by a Medicare provider, supplier,
physician, or other practitioner. It also includes identifying
information of those health care professionals who provide the items or
services to individuals during a service year.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system contains the name and other identifying information of
the MA plan enrollee, beneficiary; and the name, work address, work
phone number, social security number, National Provider Identification
Number (NPI) of servicing providers, supplier, physician, or other
practitioner. CMS will collect the admission date, discharge date,
health insurance claim number (HICN), Medicare hospital number/CCN (CMS
Certification Number) and other identifying demographics of individuals
necessary to characterize the context and purposes of each item and
service provided to a Medicare enrollee by a provider, supplier,
physician, or other practitioner. MA plans will make data collection
changes from 5 data elements currently collected to all of the required
data elements on the HIPAA 5010 version of the X12 standards.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Section 1853(a)(3)(B) of the Act requires that MA organizations and
certain other private Medicare plans submit data regarding inpatient
hospital and other services that CMS deems necessary to risk adjust
these payments. The final 2009 Inpatient Prospective Payment System
rule (73 FR 48757, August 19, 2008) modified 42 CFR 422.310 to clarify
that the Secretary has the authority to require MA organizations and
other private plans to submit encounter data for each item and service
provided to a MA plan enrollee. Information for the Financial Alignment
Initiative is being collected from MA plans that provide an integrated
set of Medicare and Medicaid services through the demonstration project
authorized under section 1115 of the Act.
PURPOSE(S) OF THE SYSTEM:
The primary purpose of the SOR is to collect and maintain encounter
data for each item and service provided to MA plan enrollees reported
by a Medicare provider, supplier, physician, or other practitioner. CMS
will collect information necessary to determine the risk adjustment
factors used to adjust payments, calculate Medicare DSH percentages,
conduct quality review and improvement activities, and for other
Medicare coverage purposes. Information retrieved from this SOR will
also be disseminated or disclosed to: (1) Support regulatory,
reimbursement, and policy functions performed within the Agency or by a
contractor, consultant, or a CMS grantee; (2) assist another Federal
agency, agency of a state government, an agency established by state
law, or its fiscal agent; (3) assist MA plans with required collection
of encounter data obtained from the provider, supplier, physician, or
other practitioner that furnished the item or service; (4) support an
individual or organization for research; (5) support litigation
involving the Agency related to this SOR; (6) to assist a contractor
combat fraud, waste, and abuse in certain health care programs; (7) to
assist another Federal agency combat fraud, waste, and abuse; (8) to
assist appropriate Federal agencies and CMS contractors and consultants
to assist in CMS' efforts to respond to a suspected or confirmed
breach; (9) assist the U.S. Department of Homeland Security (DHS) cyber
security personnel; and (10) assist with emergency preparedness.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Entities Who May Receive Disclosures Under Routine Uses
These routine uses specify circumstances, in addition to those
provided by statute in the Privacy Act of 1974, under which CMS may
release information from the EDS without the consent of the individual
to whom such information pertains. Each proposed disclosure of
information under these routine uses will be evaluated to ensure that
the disclosure is legally permissible under 42 CFR 422.310, including
but not limited to ensuring that the purpose of the disclosure is
compatible with the purpose for which the information was collected. We
propose to establish the following routine use disclosures of
information maintained in the system:
1. To Agency contractors, consultants, or CMS grantees who have
been engaged by the Agency in order to support them in accomplishment
of a CMS function relating to the purposes for this collection and who
need to have access to the records in order to assist CMS.
2. To another Federal agency, agency of a state government, an
agency established by state law, or its fiscal agent in order to:
a. Contribute to the accuracy of CMS' proper payment of Medicare
benefits,
b. enable such agency to administer a Federal health benefits
program, or as necessary to enable such agency to fulfill a requirement
of a Federal statute or regulation that implements a health benefits
program funded in whole or in part with Federal funds, and/or
c. fulfill oversight, regulatory, or policy functions performed by
such agency.
3. To assist MA plans with the required collection of encounter
data, which is to be obtained from the provider, supplier, physician,
or other practitioner that furnished the item or service.
4. To an individual or organization to support or assist them with
(a) a research, evaluation or epidemiological project related to the
prevention of disease or disability, the restoration or maintenance of
health, (b) payment related projects, and (c) analysis of the provision
of health services.
5. To provide information to the U.S. Department of Justice (DOJ),
a court, or an adjudicatory body when (a) CMS or any component thereof,
or (b) any employee of CMS in his or her official capacity, or (c) any
employee of CMS in his or her individual capacity where the DOJ has
agreed to represent the employee, or (d) the United States Government,
is a party to litigation or has an interest in such litigation, and by
careful review, CMS determines that the records are both relevant and
necessary to the litigation and that the use of such records by the
DOJ, court, or adjudicatory body is compatible with the purpose for
which the agency collected the records.
6. To a CMS contractor (including but not limited to Medicare
Administrative Contractors) that assists in the administration of a
CMS-administered health benefits program, or to a grantee of a CMS-
administered grant program, when disclosure is deemed reasonably
necessary by CMS to prevent, deter, discover, detect, investigate,
examine, prosecute, sue with respect to, defend against, correct,
remedy, or otherwise combat fraud, waste or abuse in such program.
7. To another Federal agency or to an instrumentality of any
governmental jurisdiction within or under the control of the United
States (including any state or local governmental agency), that
administers or that has the authority to investigate potential fraud,
waste or abuse in a health benefits program funded in whole or in part
by Federal funds, when disclosure is deemed reasonably necessary by CMS
to prevent, deter, discover, detect,
investigate, examine, prosecute, sue with respect to, defend against,
correct, remedy, or otherwise combat fraud, waste or abuse in such
programs.
8. To appropriate Federal agencies and CMS contractors and
consultants that have a need to know the information for the purpose of
assisting CMS' efforts to respond to a suspected or confirmed breach of
the security or confidentiality of information maintained in this SOR,
provided that the information disclosed is relevant and necessary for
that assistance.
9. To the U.S. Department of Homeland Security (DHS) cyber security
personnel, if captured in an intrusion detection system used by HHS and
DHS pursuant to the Einstein 2 programs.
10. To disclose the personally identifiable information of MA plan
enrollees to public health authorities, and those entities acting under
a delegation of authority from a public health authority, when
requesting such information to carry out statutorily-authorized public
health activities pertaining to emergency preparedness and response.
Disclosures under this routine use will be limited to ``public health
authorities'', ``public health activities'', and ``minimum necessary
data'', as defined in the HIPAA Privacy Rule (45 CFR 154.502,
164.512(b), 164.502(b) and 164.514(d)(3)(iii)(A)).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM
STORAGE:
All records are stored on magnetic media.
RETRIEVABILITY:
All records are accessible by NPI/NPPES or by beneficiary HICN.
This system supports both on-line and batch access. The EDS system
itself does not provide reporting capabilities. All reporting
functionality can be found in the IDR.
SAFEGUARDS:
Personnel having access to the system have been trained in the
Privacy Act and information security requirements. Employees who
maintain records in this system are instructed not to release data
until the intended recipient agrees to implement appropriate
management, operational, and technical safeguards sufficient to protect
the confidentiality, integrity and availability of the information and
information systems, and to prevent unauthorized access. Access to
records in the EDS will be limited to CMS personnel and approved
contractors.
RETENTION AND DISPOSAL:
Records containing PII will be maintained for a period of up to 10
years after entry in the database. Any such records that are needed
longer, such as to resolve claims and audit exceptions or to prosecute
fraud, will be retained until such matters are resolved. Enrollee
claims records are currently subject to a document preservation order
and will be preserved indefinitely pending further notice from the DOJ.
SYSTEM MANAGER AND ADDRESS:
Director, Division of Risk Adjustment Payment and Policy, Medicare
Plan Payment Group, Center for Medicare, Centers for Medicare &
Medicaid Services.
NOTIFICATION PROCEDURE:
Individuals wishing to know if this system contains records about
them should write to the system managers and include the pertinent
personal identifier used for retrieval of their records (i.e., TIN, NPI
or HICN).
RECORD ACCESS PROCEDURE:
Individuals seeking access to records about them in this system
should follow the same instructions indicated under ``Notification
Procedure'' and reasonably specify the record contents being sought.
(These procedures are in accordance with HHS Privacy Act regulations at
45 CFR 5b.5 (a)(2)).
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest the content of information about
them in this system should follow the same instructions indicated under
``Notification Procedure.'' The request should reasonably identify the
record and specify the information being contested; state the
corrective actions sought, and provide the reasons for the correction,
with supporting justification. (These procedures are in accordance with
HHS Privacy Act regulations at 45 CFR 5b.7).
RECORD SOURCE CATEGORIES:
Sources of information contained in this records system include
data collected from MA organizations and encounter data obtained from
the provider, supplier, physician, or other practitioner that furnished
the item or service.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
None.
Celeste Dade-Vinson,
Health Insurance Specialist, Centers for Medicare & Medicaid Services.
[FR Doc. 2014-14038 Filed 6-16-14; 8:45 am]
BILLING CODE 4120-03-P